The Patient Spammer and the Cloud

Whenever I sign up to an online service, I use a unique email address. That way when spam starts coming in I can see whose fault it is. I’m suddenly getting rather a lot of spam, sent from disposable email accounts (e.g. Yahoo) and directing me to various scam websites registered in Russia. All at once, from multiple vectors. That’s the part that worries me; here’s why.

First: here is the list of organisations that have leaked my email address to spammers (most probably because they have been compromised):

Spotlight – I’m a “VIP member” of this store, which apparently means that I want Russian spammers to sell me a counterfeit watch.

Webjam – I presented at Webjam once, so this may not be a leak from their website – I gave out this address to the entire audience so anyone there could be the source of the leak.

Saasu – online (cloud) accounting. If I can’t trust them with my email address, I’m not going to trust them with my financial data.

Xero – as above. This is a pretty severe problem in both cases; I’ve signed up for free trials of two cloud accounting services and both have leaked my email address to Russian spammers.

I’m getting about 40 spams a day at the moment, all through the above vectors. I’m redirecting those email addresses into the void now.

(I’m getting about another 40 spams each day to my ACM and SIGGRAPH addresses, but those are all obvious enough that Apple Mail’s spam filters are catching them for me. And oddly, none of those are in English.)

I’ve been signing up for online services this way for a long time, and it’s only recently that they have become a serious vector for spam. And the spam is pretty consistently for the same group of Russian-registered sites.

I wonder how long my personal information has been accumulating, being leaked, then sold, then finally used. I wonder whether other cloud services that I’m actually using have been compromised (as opposed to ones I’ve only signed up for and not entered data into). I wonder how long the attackers will wait, accumulating more personal information on us, and how damaging the resulting identity-theft storm might be.

This entry was posted
on Tuesday, September 14th, 2010 at 11:08 am and is filed under social.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.